Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:31380 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 42595 invoked by uid 1010); 2 Aug 2007 16:24:02 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 42571 invoked from network); 2 Aug 2007 16:24:02 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Aug 2007 16:24:02 -0000 Authentication-Results: pb1.pair.com smtp.mail=ilia@prohost.org; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=ilia@prohost.org; sender-id=unknown Received-SPF: error (pb1.pair.com: domain prohost.org from 64.233.166.182 cause and error) X-PHP-List-Original-Sender: ilia@prohost.org X-Host-Fingerprint: 64.233.166.182 py-out-1112.google.com Received: from [64.233.166.182] ([64.233.166.182:65148] helo=py-out-1112.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id AB/F0-35404-D1502B64 for ; Thu, 02 Aug 2007 12:24:00 -0400 Received: by py-out-1112.google.com with SMTP id f31so1760520pyh for ; Thu, 02 Aug 2007 09:23:53 -0700 (PDT) Received: by 10.35.10.13 with SMTP id n13mr3101667pyi.1186071463827; Thu, 02 Aug 2007 09:17:43 -0700 (PDT) Received: from ?192.168.1.119? ( [204.101.63.110]) by mx.google.com with ESMTPS id f77sm3390480pyh.2007.08.02.09.17.42 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 02 Aug 2007 09:17:43 -0700 (PDT) In-Reply-To: <646722839.20070802152710@marcus-boerger.de> References: <46B129BE.3050807@zend.com> <403752205.20070802134118@marcus-boerger.de> <79496594-20B5-40C4-AC22-1F3DE99BA695@prohost.org> <646722839.20070802152710@marcus-boerger.de> Mime-Version: 1.0 (Apple Message framework v752.3) X-Priority: 3 (Normal) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-ID: <54964858-297A-41A6-AC26-AEBCAE2BCE16@prohost.org> Cc: PHP Internals Content-Transfer-Encoding: 7bit Date: Thu, 2 Aug 2007 12:17:40 -0400 To: Marcus Boerger X-Mailer: Apple Mail (2.752.3) Subject: Re: [PHP-DEV] ini system patch From: ilia@prohost.org (Ilia Alshanetsky) Marcus, I've already said a several times that post 5.2.4 work on 5.3 will begin. This patch however IS a security fix, so the option is to ignore the bug or fix it, I am for fixing it rather the delaying the fix until 5.3 is released. On 2-Aug-07, at 9:27 AM, Marcus Boerger wrote: > Hello Ilia, > > i'd suggest so. From my perspective 5.2 is pretty stable, tested and > secure now. But more and more people want more and more stuff into > 5.*. > So i think we should change into a strict RM approval equired security > fixes only mode for 5.2 and start on 5.3. Also i think we should give > that at least three month for adding new stuff. Major things i'd like > to see would be namespaces and adding pecl packages icu (or whatever > the name is) plus phar. Well we have the todo on lukas' site. > > marcus > > Thursday, August 2, 2007, 2:15:13 PM, you wrote: > >> Marcus, > >> Well, do you propose we leave the issue be until 5.3? > > >> On 2-Aug-07, at 7:41 AM, Marcus Boerger wrote: > >>> Hello Ilia, >>> >>> as much as i agree with ading the stage it is a BC issue! >>> >>> Thursday, August 2, 2007, 3:26:00 AM, you wrote: >>> >>>> Stas, >>> >>>> It looks like the best solution in this case. I don't like the idea >>>> of introducing another INI stage in minor release, but I can't >>>> think >>>> of a better way to address this issue at this time and I cannot >>>> imagine it breaking much stuff. >>> >>>> On 1-Aug-07, at 8:47 PM, Stanislav Malyshev wrote: >>> >>>>> Hi! >>>>> >>>>> The attached patch implements the following improvement in Apache >>>>> module configuration handling: >>>>> >>>>> New INI stage is introduced - ZEND_INI_STAGE_HTACCESS and values >>>>> set in .htaccess are passed to handlers with >>>>> ZEND_INI_STAGE_HTACCESS instead of ZEND_INI_STAGE_ACTIVATE. >>>>> >>>>> The reason for this is that there are values - one of them being >>>>> session.save_handler - that we want to allow administrator to set >>>>> to arbitrary values, even not inside open_basedir/safe_mode >>>>> restrictions, while we do want user-set values to be inside >>>>> limits. >>>>> The problem was that right now there's no way to see if the value >>>>> is set from httpd.conf (admin) or from .htaccess (frequently user- >>>>> accessible and user-writable). This patch enables to make such >>>>> distinction. >>>>> I don't see any modules depending on ZEND_INI_STAGE_ACTIVATE >>>>> but if >>>>> there would be they can easily be fixed to work with >>>>> ZEND_INI_STAGE_HTACCESS too. The attached patch is for apache2 >>>>> SAPI >>>>> only, but same one would be needed for apache1 API. >>>>> >>>>> This patch will allow proper fix for CVE-2007-3378 (current one >>>>> breaks BC). >>>>> >>>>> Comments/objections? >>>>> -- >>>>> Stanislav Malyshev, Zend Software Architect >>>>> stas@zend.com http://www.zend.com/ >>>>> (408)253-8829 MSN: stas@zend.com >>>>> Index: Zend/zend_ini.h >>>>> ================================================================== >>>>> = >>>>> RCS file: /repository/ZendEngine2/zend_ini.h,v >>>>> retrieving revision 1.34.2.1.2.3 >>>>> diff -u -r1.34.2.1.2.3 zend_ini.h >>>>> --- Zend/zend_ini.h 1 Jan 2007 09:35:46 -0000 1.34.2.1.2.3 >>>>> +++ Zend/zend_ini.h 2 Aug 2007 00:40:52 -0000 >>>>> @@ -189,6 +189,7 @@ >>>>> #define ZEND_INI_STAGE_ACTIVATE (1<<2) >>>>> #define ZEND_INI_STAGE_DEACTIVATE (1<<3) >>>>> #define ZEND_INI_STAGE_RUNTIME (1<<4) >>>>> +#define ZEND_INI_STAGE_HTACCESS (1<<5) >>>>> >>>>> /* INI parsing engine */ >>>>> typedef void (*zend_ini_parser_cb_t)(zval *arg1, zval *arg2, int >>>>> callback_type, void *arg); >>>>> Index: sapi/apache2handler/apache_config.c >>>>> ================================================================== >>>>> = >>>>> RCS file: /repository/php-src/sapi/apache2handler/ >>>>> apache_config.c,v >>>>> retrieving revision 1.7.2.1.2.2 >>>>> diff -u -r1.7.2.1.2.2 apache_config.c >>>>> --- sapi/apache2handler/apache_config.c 1 Jan 2007 09:36:12 >>>>> -0000 >>>>> 1.7.2.1.2.2 >>>>> +++ sapi/apache2handler/apache_config.c 2 Aug 2007 00:40:52 >>>>> -0000 >>>>> @@ -51,6 +51,7 @@ >>>>> char *value; >>>>> size_t value_len; >>>>> char status; >>>>> + char htaccess; >>>>> } php_dir_entry; >>>>> >>>>> static const char *real_value_hnd(cmd_parms *cmd, void *dummy, >>>>> const char *name, const char *value, int status) >>>>> @@ -67,7 +68,8 @@ >>>>> e.value = apr_pstrdup(cmd->pool, value); >>>>> e.value_len = strlen(value); >>>>> e.status = status; >>>>> - >>>>> + e.htaccess = ((cmd->override & (RSRC_CONF|ACCESS_CONF)) >>>>> == 0); >>>>> + >>>>> zend_hash_update(&d->config, (char *) name, strlen(name) + >>>>> 1, &e, >>>>> sizeof(e), NULL); >>>>> return NULL; >>>>> } >>>>> @@ -170,7 +172,7 @@ >>>>> zend_hash_move_forward(&d->config)) { >>>>> zend_hash_get_current_data(&d->config, (void **) >>>>> &data); >>>>> phpapdebug((stderr, "APPLYING (%s)(%s)\n", str, >>>>> data->value)); >>>>> - if (zend_alter_ini_entry(str, str_len, data->value, >>>>> data- >>>>>> value_len, data->status, PHP_INI_STAGE_ACTIVATE) == FAILURE) { >>>>> + if (zend_alter_ini_entry(str, str_len, data->value, >>>>> data- >>>>>> value_len, data->status, data->htaccess? >>>>> ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE) == FAILURE) { >>>>> phpapdebug((stderr, "..FAILED\n")); >>>>> } >>>>> } >>>>> >>>>> -- >>>>> PHP Internals - PHP Runtime Development Mailing List >>>>> To unsubscribe, visit: http://www.php.net/unsub.php >>> >>>> Ilia Alshanetsky >>> >>> >>> >>> >>> Best regards, >>> Marcus >>> > >> Ilia Alshanetsky > > > > > Best regards, > Marcus > Ilia Alshanetsky